Fixes

The primary rationale for the release was a problem introduced by a bugfix in 1.12.10
with regard to the ViewRenderer action helper. That fix incorrectly
resolved the controller name, which led to problems primarily when using a custom
dispatcher with your application. 1.12.11 introduces a proper fix that addresses the
original issue, as well as the problem it introduced.

Announcing the Zend Framework 3 Roadmap

Wed, 21 Jan 2015 17:00:00 +0000, Matthew Weier O'Phinney (matthew@zend.com)
http://framework.zend.com/blog/announcing-the-zend-framework-3-roadmap.html

The most often-asked questions we get around the Zend Framework project
include: Where is Zend Framework heading? When will Zend Framework 3 be
released? What changes and enhancements should we expect?

Since inception, our goal for Zend Framework has been to further the art of
PHP and ensure our users concentrate on the business logic of their
application rather than wasting time reinventing the plumbing. The plumbing is
Zend Framework’s job. We have continued to evolve ZF with best-in-class web
development practices, and have innovated in areas where we saw gaps; as an
example, we observed developers struggling with API development, which led us
to create the Apigility project on top of ZF2.

We have built an incredibly powerful framework with Zend Framework 2 that met
its key goals of flexibility, consistency and testability. However, the world
has changed since ZF2 was released, and the project needs to move with the
times. With that in mind, we have gathered feedback from our users and core
contributors to map the path forward.

Zend Framework 3 will be an evolution from ZF2, concentrating on simplicity,
reusability, and performance.

Enabling Apigility to work as a middleware stack, for better performance
and simplicity, with the same streamlined, powerful user experience.

Optimizing for PHP 7, but supporting PHP
5.5 onwards.

We have already done a lot of thinking (and coding!) in this direction, and we
intend to release ZF3 in Q3 2015 — yes, this year!

As a community project, we need everyone's help to make our plans a reality.
Please join the effort and help us create Zend Framework 3! You can do so in
the zf-contributors
mailing list, or via the #zftalk.dev Freenode IRC channel.

We are very excited about the changes to come, and hope you are as well!

— The ZF Team —

P.S. We will be posting additional, more detailed thoughts regarding our
observations, the statement of direction, timelines, and technology choices we
are making in follow-up posts. Keep an eye on our blog for
these updates.

Incremental improvements

Zend Framework 1.12 is in maintenance mode, but that has not slowed
activity on the repository; this release features almost 40 bugfixes!
Among other changes, contributors have also provided improvements for
our build process, including the removal of tests and documentation
when adding ZF1 to your project via Composer.

Thank You!

As usual, thanks go out to all contributors to this version; Zend Framework 1's
stability and robustness is due to your efforts. I also want to thank
Rob Allen and
Frank Brückner for shepherding
along contributions and acting as release managers!

2.3.4

Thank You!

As usual, thanks go out to all contributors to these versions; Zend Framework's
continued improvement is based on your efforts. I also want to thank
Marco Pivetta in particular, for the tireless
effort he has made in triaging and merging pull requests for the 2.3.4 release; his
efforts have been invaluable.

Notable Changes

#418 improves the regex for
SQL group, order, and from statements. This is an improvement on the fix for Security Advisory
ZF2014-04,
to prevent potential SQL injection. This PR can be a potential BC break for
complex SQL code. See below for more information.

#414 adds the
Microsoft_Console component from the Windows Azure SDK for PHP into
the Zend_Service_Console component, ensuring that WindowsAzure
command line functionality included in the framework can now work.

#382 ensures that
orphaned metadata cache files are removed when Zend_Cache::CLEANING_MODE_ALL
is used.

#410 ensures that calls
to reset the status of the libxml entity loader happen as soon as possible,
to prevent potential threading issues under php-fpm (since the settings
are per process, not per-request, in that environment).

IBM i Support

This release contains a number of fixes to ensure the ability to use Apigility on IBM i. Among them:

We are pinning support to Zend Framework 2.3.2 and above, which contains updates supporting DB2:

Full transaction support.

Fixed LIMIT support, allowing for paginated DB result sets.

Fixes to database-backed authentication

The ability to specify database driver options via the Admin UI. Most DB2 connections need additional driver options specified, and you can now do so via the UI.

UI Improvements

One lingering issue we've had reported is an error when creating APIs: the UI reports an error, but the API has been created. We made several patches that, in aggregate, should resolve these issues going forward:

We discovered that our promise chains in the Admin UI were not optimally constructed, and could potentially raise errors under the appropriate conditions; these have been fixed.

We introduced a timeout between successful completion of API creation and deletion calls, and subsequent fetching of the API list from the Admin API. In working with Julien Guittard, we were able to find an optimal timeout that resolves the issue.

Additionally, for those users using Apache to serve the Admin UI and Admin API, we have stopped using backslashes in URI identifiers (Apache rejects URI-encoded slashes by default).

Other fixes were also made that are detailed under the "zf-apigility-admin" header below.

Documentation fixes

zf-apigility-documentation was not using the correct configuration key to discover input filters, which meant it was not reporting fields at all. This had further implications for zf-apigility-documentation-swagger, which was then unable to expose models based on those fields. This situation is now resolved.

Collections

While Apigility has supported retrieving collections in REST services, creating, replacing, updating, or deleting them has been an exercise left to the developer previously. With this release, field definitions can now be used to validate the items passed to collections, giving collections first-class support.

Console

zf-console was extensively updated, with many contributions and ideas from Zend's Slavey Karadzhov. These include:

Simplification of mapping the command name to the route. By default, the command name is now considered the first argument of the route.

Command handlers may now be specified in the configuration via the handler key for a command.

A number of useful CLI-specific filters are now provided, including an Explode filter (split comma or other delimited arguments to an array), a QueryString filter (specify arguments in query string format), and a Json filter (specify arguments in JSON).

Better error handling and error reporting.

The ability to generate autocompletion scripts for your CLI commands.

zf-console is shaping up as a capable microframework for CLI commands!

Thank You!

Many thanks to everyone who contributed fixes, big or small, towards this release!

This is the second maintenance release in the 2.3 series, and resolves more than 100 issues.

Notable Changes

The following changes are noted as being fixes that may have potential implications
for existing applications.

#6295
introduces a slight change to how Zend\Form\Fieldset handles disabled
values. Previously, they were represented in the form, and still
processed on submit, which allowed the possibility of changing the
value. This pull request modifies the behavior to extract the original
value from any bound data if present and use that value instead, which
is the correct behavior.

#6423
modifies the behavior of Zend\Validator\File\UploadFile to only
return the FILE_NOT_FOUND error if upload was successful; previously,
it incorrectly would report this error even if an error occurred during
upload.

This release contains an important security fix in
Zend_Db_Select; we strongly encourage users of this component to
upgrade.

Security Fixes

One new security advisory has been made, and has been patched in 1.12.7:

ZF2014-04, which mitigates
a potential SQL Injection (SQLi) vector when using ORDER BY clauses in
Zend_Db_Select; SQL function calls were improperly detected, rendering
ORDER clauses such as MD5(1);drop table foo unfiltered. The
logic has been updated to prevent SQLi vectors, and users of this functionality
are strongly encouraged to upgrade immediately.

For more information, follow the link above; if you use the component
affected, please upgrade as soon as possible.
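
The detection flaw described in ZF2014-04, shown as an added PHP example that is not Zend Framework's own code: an unanchored "looks like a function call" check lets the advisory's ORDER string bypass identifier quoting, while a check anchored to the whole term does not. Both patterns and the helper names (LOOSE_EXPR, STRICT_EXPR, quoteIdent, renderOrderTerm) are hypothetical, chosen only to reproduce the behaviour described above.

```php
<?php
// Added illustration, not Zend Framework source. Both patterns and the
// helper names are assumptions that reproduce the behaviour described above.

// Loose: any "(...)" anywhere marks the term as an SQL function call.
const LOOSE_EXPR = '/\(.*\)/';
// Strict: the entire term must be one call with balanced parentheses.
const STRICT_EXPR = '/^(\w*\s*\((?:[^()]|(?1))*\))$/';

// MySQL-style identifier quoting: wrap in backticks, double embedded ones.
function quoteIdent(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// Render one ORDER BY term. Terms recognised as expressions are emitted
// verbatim; everything else is treated as "column [ASC|DESC]" and quoted.
function renderOrderTerm(string $term, string $exprPattern): string
{
    $term = trim($term);
    if (preg_match($exprPattern, $term) === 1) {
        return $term; // trusted as an expression: no quoting applied
    }
    $direction = 'ASC';
    if (preg_match('/^(.*\S)\s+(ASC|DESC)$/si', $term, $m) === 1) {
        [$term, $direction] = [$m[1], strtoupper($m[2])];
    }
    return quoteIdent($term) . ' ' . $direction;
}

// Constructed inputs; the second is the string quoted in the advisory text.
$samples = ['created_at DESC', 'MD5(1);drop table foo', 'COALESCE(a, LOWER(b))'];

foreach ($samples as $s) {
    printf("%-24s loose:  %s\n", $s, renderOrderTerm($s, LOOSE_EXPR));
    printf("%-24s strict: %s\n", '', renderOrderTerm($s, STRICT_EXPR));
}
```

With the loose pattern the advisory's string is returned unchanged and would reach the query as raw SQL; with the anchored pattern it fails the expression test and is quoted as a single identifier.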

Important Changes

In addition to the security fix above, a number of other important changes
were made, including:

Support for PHPUnit 4 and 4.1, both within the Zend Framework test suite
and inside the Zend_Test_PHPUnit component.

Backported support from ZF2 for recursive page removal within
Zend_Navigation.

Support within the Hostname validator for the newly released
IANA top level domains.

Forward-compatibility changes were made to ensure Zend Framework 1 will run on
the upcoming PHP 5.6.

Thank You!

As always, I'd like to thank the many contributors who made this
release possible, particularly Cassiano Dal Pizzol and Lars Kneschke for
reporting the security vulnerability, and Enrico Zimuel for patching it.